Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!ames!pasteur!helios.ee.lbl.gov!epb6!envbvs
From: envbvs@epb6.lbl.gov (Brian V. Smith)
Newsgroups: comp.unix.wizards
Subject: Re: Learning about remote users
Message-ID: <2124@helios.ee.lbl.gov>
Date: 16 Mar 89 23:35:40 GMT
References: <199@minya.UUCP>
Sender: usenet@helios.ee.lbl.gov
Reply-To: envbvs@epb6 (Brian V. Smith)
Organization: Lawrence Berkeley Laboratory, Berkeley
Lines: 31

In article <199@minya.UUCP> jc@minya.UUCP (John Chambers) writes:
>Suppose that you have a Unix system (BSD, Sys/V, Xenix, etc.) connected to
>a network via the usual TCP-style networking, and you'd like to learn what
>you can about who is logging in. The obvious thing to do is to insert some
>things into the local .login (or .profile or .kshrc or /etc/profile or ...)
>that invokes a little (?) program whose purpose is to create an audit trail
>of remote logins. Is it possible to learn anything interesting about the
>remote user?
>
>The first problem, of course, is identifying which logins are remote, and
>where they come from. You can usually determine the latter by looking at
>the major/minor device numbers on the stdio files, and checking to see if
>they are pseudo-terminals. Will this work everywhere? What systems, if
>any, are exceptions.
>
>As for identifying the originating system, I suspect that it is doable,
>though I haven't yet determined how to do it. The evidence I have that
>it is doable is that who(1) does it on BSD systems. Does anyone know
>how it is done?

Yes, the program 'who' shows both the tty (pseudo-tty for remote login)
and the originating machine in parentheses.
This holds true for 4.2BSD, Ultrix and SunOS systems. I don't know about
any others.

Brian V. Smith
Lawrence Berkeley Laboratory, Berkeley
--------------------------------------
We don't need no stinking signatures!
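
An added example, not part of the original post: who(1) takes the originating machine from the host field of the system's login records, and a program run from .login can read the same record for its own terminal. The code assumes a <utmpx.h> that provides ut_host (glibc and the BSDs do); the function names is_remote_login, login_host and line_matches are hypothetical.

```c
/* Added example: assumes a Linux/BSD-style <utmpx.h> that provides ut_host. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <utmpx.h>

/* A login record is "remote" when it names an originating host. */
int is_remote_login(const struct utmpx *ut)
{
    return ut->ut_type == USER_PROCESS && ut->ut_host[0] != '\0';
}

/* ut_host is fixed-width and may lack a terminating NUL: copy it safely. */
const char *login_host(const struct utmpx *ut, char *buf, size_t len)
{
    size_t n = sizeof ut->ut_host;
    if (len == 0)
        return "";
    if (n > len - 1)
        n = len - 1;
    memcpy(buf, ut->ut_host, n);
    buf[n] = '\0';
    return buf;
}

/* Does this record describe the terminal at tty_path (e.g. "/dev/pts/3")? */
int line_matches(const struct utmpx *ut, const char *tty_path)
{
    if (strncmp(tty_path, "/dev/", 5) == 0)
        tty_path += 5;          /* ut_line is stored without the /dev/ prefix */
    return strncmp(ut->ut_line, tty_path, sizeof ut->ut_line) == 0;
}

/* Print one audit line for the login session attached to stdin. */
int main(void)
{
    const char *tty = ttyname(STDIN_FILENO);
    struct utmpx *ut;
    char host[sizeof ut->ut_host + 1];
    if (tty == NULL)
        return 1;               /* stdin is not a terminal */
    setutxent();
    while ((ut = getutxent()) != NULL)
        if (line_matches(ut, tty) && is_remote_login(ut))
            printf("%.*s on %s from %s\n", (int)sizeof ut->ut_user,
                   ut->ut_user, tty, login_host(ut, host, sizeof host));
    endutxent();
    return 0;
}
```

The host field is written by whichever daemon created the session and is truncated to the field width, so in an audit trail it is a hint about the origin, not an authenticated one. Local display-manager sessions may also fill it (for example with `:0`).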